Home

Possible Deficiencies or am I Glossing Over Something?

%3CLINGO-SUB%20id%3D%22lingo-sub-912185%22%20slang%3D%22en-US%22%3EPossible%20Deficiencies%20or%20am%20I%20Glossing%20Over%20Something%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-912185%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20been%20looking%20at%20Sentinel%20today%20for%20the%20first%20time%20for%20a%20company%20I've%20been%20employed%20at%2C%20and%20having%20had%20past%20experience%20with%20SIEM%20solutions%20I%20have%20a%20few%20concerns%20that%20maybe%20someone%20in%20the%20community%20could%20address%2C%20even%20if%20it's%20just%20a%20no%20or%20a%20maybe%20in%20the%20future.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20first%20issue%20is%20with%20the%20lack%20of%20data%20normalization.%20I%20see%20this%20as%20a%20huge%20issue%20as%20you're%20now%20writing%20queries%20based%20on%20the%20format%20the%20ingested%20data%20is%20stored%20on%20and%20not%20in%20a%20standard%20format.%20E.g.%20you%20can't%20simply%20query%20all%20logs%20from%20multiple%20sources%20for%20a%20single%20known%20malicious%20IP%20picked%20up%20somewhere.%20You%20now%20have%20to%20write%20complex%20Kusto%20queries%2C%20make%20assumptions%20about%20which%20sources%20you%20need%20to%20look%20at%2C%20and%20need%20to%20know%20the%20format%20of%20each%20data%20source.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20second%20concern%20is%20that%20with%20many%20SIEMs%20you%20expect%20some%20value%20add%20and%20to%20give%20part%20of%20the%20solution%20to%20business%20services%20like%20Help%20Desks%20to%20monitor%20(where%20a%20SoC%20is%20not%20viable).%20To%20do%20this%20you%20generally%20have%20a%20simple%20GUI%20search%20form%20with%20standardized%20field%20names%20(which%20requires%20normalization).%20For%20this%20SIEM%20to%20be%20used%20in%20this%20way%20it%20appears%20that%20every%20user%20consuming%20it%20will%20either%20have%20to%20know%20how%20to%20write%20Kusto%20(or%20use%20Jupyter)%20and%20know%20the%20structure%20of%20the%20target%20data%20or%20use%20saved%20searches.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20third%20concern%20is%20that%20there%20doesn't%20seem%20to%20be%20any%20deep%20analytics%20(at%20least%20that%20the%20adminstrator%20can%20customize)%20where%20you%20can%20create%20baselines%20on%20certain%20data%20and%20detect%20anomalous%20logs.%20There%20seems%20to%20be%20some%20of%20this%20capability%20but%20it%20seems%20to%20be%20listed%20as%20%22Microsoft%20propriety%22%20and%20%22hidden%20logic%22.%20There%20is%20mention%20of%20Machine%20Learning%20Studio%20but%20I'm%20not%20sure%20how%20this%20would%20integrate%20to%20generate%20alarms.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20it%20continues%20(sorry)%20with%20my%20fourth%20concern.%20There%20doesn't%20seem%20to%20be%20a%20differentiation%20between%20alerts%20and%20alarms%2Fincidents.%20I%20think%20an%20issue%20here%20is%20that%20there%20would%20need%20to%20be%20another%20data%20store%20for%20this%20capability%20but%20in%20other%20SIEMs%20you%20can%20create%20an%20alert%20from%20a%20rule%20which%20isn't%20seen%20by%20the%20user%20and%20then%20use%20that%20rule%20to%20corroborate%20with%20other%20alerts%20to%20finally%20raise%20an%20alarm%20that%20the%20user%20sees.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20further%20concern%20is%20the%20lack%20of%20ability%20to%20pivot%2C%20this%20relates%20closely%20with%20my%20first%20and%20second%20concern%2C%20but%20to%20provide%20insight%20into%20alarms%20you%20should%20be%20able%20to%20pivot%20off%20of%20a%20normalised%20field%20and%20return%20all%20data%20that%20contains%20that%20same%20entry%2C%20e.g.%20click%20username%20and%20get%20everywhere%20the%20user%20has%20logged%20in%20or%20carried%20out%20an%20action%20(e.g.%20Workstation%2C%20VPN%2C%20Office%20365%20audit%20logs%2C%20proxy%20access%20logs%20etc.).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20also%20concerned%20rules%20aren't%20processed%20on%20the%20ingest%20pipeline%20and%20are%20through%20scheduled%20intervals.%20I'm%20hopinng%20this%20has%20minimal%20impact%20on%20the%20time%20to%20alarm.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20there's%20more%20but%20I'll%20leave%20it%20at%20that%20for%20now%2C%20looking%20forward%20to%20(hopefully)%20hearing%20the%20solutions!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-915232%22%20slang%3D%22en-US%22%3ERe%3A%20Possible%20Deficiencies%20or%20am%20I%20Glossing%20Over%20Something%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-915232%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F425577%22%20target%3D%22_blank%22%3E%40illuzian%3C%2FA%3E%26nbsp%3BI%20cannot%20address%20all%20your%20concerns%20but%20I%20have%20an%20answer%20for%20some%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFirst%20Concern%3A%26nbsp%3B%20You%20can%20use%20the%20%22search%22%20command%20to%20search%20across%20all%20logs.%26nbsp%3B%20This%20article%20uses%20it%20for%20just%20the%20type%20of%20scenario%20you%20describe%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FSecurity-Investigation-with-Azure-Sentinel-and-Jupyter-Notebooks%2Fba-p%2F432921%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Sentinel%2FSecurity-Investigation-with-Azure-Sentinel-and-Jupyter-Notebooks%2Fba-p%2F432921%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecond%20concern%3A%26nbsp%3B%20While%20there%20is%20not%20one%20out%20of%20the%20box%20you%20can%20create%20a%20workbook%20that%20can%20provide%20basic%20data%20like%20what%20you%20need%20using%20a%20text%20parameter%20for%20the%20input%20value.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThird%20concern%3A%20On%20the%20overview%20page%20is%20a%20description%20of%20how%20ML%20will%20be%20used%20in%20Sentinel%20and%20a%20link%20that%20takes%20you%20to%20this%20page%20which%20provides%20a%20good%20overview.%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Freducing-security-alert-fatigue-using-machine-learning-in-azure-sentinel%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Freducing-security-alert-fatigue-using-machine-learning-in-azure-sentinel%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFourth%20concern%3A%26nbsp%3B%20Not%20sure%20why%20that%20is%20a%20concern.%26nbsp%3B%20It%20is%20strictly%20a%20different%20way%20of%20working%20with%20alerts%20and%20incidents.%26nbsp%3B%20And%2C%20if%20you%20have%20not%20noticed%2C%20there%20are%20times%20when%20an%20incident%20is%20comprised%20of%20multiple%20alerts%20so%20it%20does%20sort%20of%20work%20the%20way%20you%20described.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELast%20concern%3A%20If%20you%20look%20at%20the%20incident%20graphical%20investigation%20you%20will%20see%20that%20you%20can%20do%20exactly%20what%20you%20stated%20in%20an%20easy%20to%20use%20graphical%20view.%26nbsp%3B%20And%20if%20that%20does%20not%20work%2C%20you%20can%20go%20directly%20to%20the%20logs%20from%20that%20page%20or%20use%20threat%20hunting%20with%20Juypter%20notebooks%20to%20get%20even%20more%20advanced%20analysis%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-915298%22%20slang%3D%22en-US%22%3ERe%3A%20Possible%20Deficiencies%20or%20am%20I%20Glossing%20Over%20Something%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-915298%22%20slang%3D%22en-US%22%3EThanks%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWhile%20string%20searches%20certainly%20provide%20some%20of%20the%20capability%2C%20I%20would%20consider%20it%20less-than-ideal%20due%20to%20potential%20to%20inability%20to%20cover%20certain%20scenarios%20such%20as%20source%20ip-%26gt%3Bdestination%20ip.%20You%20would%20need%20to%20search%20across%20logs%20and%20interpret%20the%20results%20or%20rely%20on%20targeting%20data%20sources%20that%20explicitly%20define%20the%20these%20fields%20or%20strings%20where%20you%20can%20regex%20the%20two.%20It%20definitely%20provides%20some%20capability%20though%20it's%20just%20not%20ideal%2Frequires%20extra%20overhead.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20guess%20for%20the%20second%20point%20it%20would%20be%20more%20valuable%20but%20again%2C%20it%20wouldn't%20be%20as%20intuitive%20as%20normalised%20fields.%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20the%20ML%20I%20guess%20it%20will%20be%20an%20adjustment%20as%20you're%20looking%20back%20on%20a%20time%20period%20and%20doing%20you're%20statistical%20analysis%20in%20query%20where%20as%20other%20SIEMs%20hold%20this%20type%20of%20data%20persistently%20and%20update%20it%20as%20required.%20As%20long%20as%20the%20solution%20is%20able%20to%20process%20theses%20more%20complicated%20queries%20efficiently%20it%20wouldn't%20really%20be%20a%20problem%20from%20an%20alerting%20perspective%20but%20it's%20certainly%20more%20overhead%20for%20rule%20design%20(imo).%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20the%20fourth%20concern%2C%20I%20understand%20the%20concept%20and%20I%20imagine%20being%20able%20to%20achieve%20these%20types%20of%20scenarios.%20My%20only%20issue%20is%20it%20would%20likely%20be%20using%20complex%20queries%20with%20unions%20or%20joins%20etc%20that%20may%20also%20create%20overhead.%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20the%20final%20point%2C%20there's%20certainly%20some%20of%20that%20capability%20included%20but%20not%20to%20the%20same%20extent%20as%20traditional%20SIEMs.%20I%20personally%20love%20the%20idea%20of%20using%20Jupyter%20especially%20being%20an%20avid%20Pythonista%20but%20in%20a%20diverse%20security%20team%20of%20varying%20skill%20levels%20it's%20simply%20not%20ideal%20to%20expect%20all%20of%20the%20team%20to%20be%20able%20to%20build%20more%20complex%20queries%20beyond%20Kusto%20or%20even%20from%20a%20GUI.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20so%20much%20for%20replying%20though%2C%20it's%20definitely%20going%20to%20assist%20in%20completing%20our%20PoC%20of%20the%20platform.%20I'll%20have%20to%20build%20some%20examples%20out%20from%20what%20I've%20found%20valuable%20in%20the%20past%20and%20what%20you've%20suggested%20and%20see%20how%20useful%20it%20turns%20out.%3CBR%20%2F%3E%3CBR%20%2F%3EI'd%20be%20really%20interested%20in%20hearing%20from%20prior%20or%20current%20users%20of%20traditional%20SIEMs%20that%20don%E2%80%99t%20experience%20alert%20fatigue%20or%20high%20administration%20overhead%20and%20how%20they%20are%20finding%20Sentinel%20and%20some%20examples%20of%20what%20they%20are%20finding%20they%20can%20do%20more%20easily%2C%20what%20they%20couldn't%20do%20before%20and%20can%20now%2C%20and%20what%20they've%20found%20they%20can't%20do.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
illuzian
New Contributor

Hi All,

 

I've been looking at Sentinel today for the first time for a company I've been employed at, and having had past experience with SIEM solutions I have a few concerns that maybe someone in the community could address, even if it's just a no or a maybe in the future.

 

My first issue is with the lack of data normalization. I see this as a huge issue as you're now writing queries based on the format the ingested data is stored on and not in a standard format. E.g. you can't simply query all logs from multiple sources for a single known malicious IP picked up somewhere. You now have to write complex Kusto queries, make assumptions about which sources you need to look at, and need to know the format of each data source.

 

My second concern is that with many SIEMs you expect some value add and to give part of the solution to business services like Help Desks to monitor (where a SoC is not viable). To do this you generally have a simple GUI search form with standardized field names (which requires normalization). For this SIEM to be used in this way it appears that every user consuming it will either have to know how to write Kusto (or use Jupyter) and know the structure of the target data or use saved searches.

 

My third concern is that there doesn't seem to be any deep analytics (at least that the adminstrator can customize) where you can create baselines on certain data and detect anomalous logs. There seems to be some of this capability but it seems to be listed as "Microsoft propriety" and "hidden logic". There is mention of Machine Learning Studio but I'm not sure how this would integrate to generate alarms.

 

And it continues (sorry) with my fourth concern. There doesn't seem to be a differentiation between alerts and alarms/incidents. I think an issue here is that there would need to be another data store for this capability but in other SIEMs you can create an alert from a rule which isn't seen by the user and then use that rule to corroborate with other alerts to finally raise an alarm that the user sees.

 

A further concern is the lack of ability to pivot, this relates closely with my first and second concern, but to provide insight into alarms you should be able to pivot off of a normalised field and return all data that contains that same entry, e.g. click username and get everywhere the user has logged in or carried out an action (e.g. Workstation, VPN, Office 365 audit logs, proxy access logs etc.).

 

I'm also concerned rules aren't processed on the ingest pipeline and are through scheduled intervals. I'm hopinng this has minimal impact on the time to alarm.

 

I think there's more but I'll leave it at that for now, looking forward to (hopefully) hearing the solutions!

 

 

2 Replies

@illuzian I cannot address all your concerns but I have an answer for some

 

First Concern:  You can use the "search" command to search across all logs.  This article uses it for just the type of scenario you describe: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Security-Investigation-with-Azure-Sentinel-and...

 

Second concern:  While there is not one out of the box you can create a workbook that can provide basic data like what you need using a text parameter for the input value.

 

Third concern: On the overview page is a description of how ML will be used in Sentinel and a link that takes you to this page which provides a good overview.  https://azure.microsoft.com/en-us/blog/reducing-security-alert-fatigue-using-machine-learning-in-azu...

 

Fourth concern:  Not sure why that is a concern.  It is strictly a different way of working with alerts and incidents.  And, if you have not noticed, there are times when an incident is comprised of multiple alerts so it does sort of work the way you described.

 

Last concern: If you look at the incident graphical investigation you will see that you can do exactly what you stated in an easy to use graphical view.  And if that does not work, you can go directly to the logs from that page or use threat hunting with Juypter notebooks to get even more advanced analysis

 

 

 

Thanks @Gary Bushey

While string searches certainly provide some of the capability, I would consider it less-than-ideal due to potential to inability to cover certain scenarios such as source ip->destination ip. You would need to search across logs and interpret the results or rely on targeting data sources that explicitly define the these fields or strings where you can regex the two. It definitely provides some capability though it's just not ideal/requires extra overhead.

I guess for the second point it would be more valuable but again, it wouldn't be as intuitive as normalised fields.

For the ML I guess it will be an adjustment as you're looking back on a time period and doing you're statistical analysis in query where as other SIEMs hold this type of data persistently and update it as required. As long as the solution is able to process theses more complicated queries efficiently it wouldn't really be a problem from an alerting perspective but it's certainly more overhead for rule design (imo).

For the fourth concern, I understand the concept and I imagine being able to achieve these types of scenarios. My only issue is it would likely be using complex queries with unions or joins etc that may also create overhead.

For the final point, there's certainly some of that capability included but not to the same extent as traditional SIEMs. I personally love the idea of using Jupyter especially being an avid Pythonista but in a diverse security team of varying skill levels it's simply not ideal to expect all of the team to be able to build more complex queries beyond Kusto or even from a GUI.

Thanks so much for replying though, it's definitely going to assist in completing our PoC of the platform. I'll have to build some examples out from what I've found valuable in the past and what you've suggested and see how useful it turns out.

I'd be really interested in hearing from prior or current users of traditional SIEMs that don’t experience alert fatigue or high administration overhead and how they are finding Sentinel and some examples of what they are finding they can do more easily, what they couldn't do before and can now, and what they've found they can't do.
Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies